NetBSD-Bugs archive


kern/48048: lack of unlock in procfs_map



>Number:         48048
>Category:       kern
>Synopsis:       lack of unlock in procfs_map
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jul 12 06:20:00 +0000 2013
>Originator:     Ryo Shimizu
>Release:        current
>Organization:
>Environment:
NetBSD netbsd 6.99.23 NetBSD 6.99.23 (XEN3_DOMU) #2: Thu Jul 11 20:20:35 JST 2013  ryo@itaru:/disk/src/cvs/NetBSD/sys/arch/amd64/compile/XEN3_DOMU amd64
>Description:
In procfs_domap(), vm_map_unlock_read() and uvmspace_free() are lacking in the ENOMEM case.

>How-To-Repeat:
pts/0# cat mmaptest.c
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <machine/vmparam.h>

int
main(int argc, char *argv[])
{
        void *p;
        int i;

        /* this creates large /proc/$$/maps */
        for (i = 0; i < 10000; i++) {
                p = mmap(NULL, PAGE_SIZE * 2, PROT_READ, MAP_ANON, -1, 0);
                munmap((char *)p + PAGE_SIZE, PAGE_SIZE);
        }

        printf("pid=%d\n", getpid());
        fflush(stdout);

        pause();

        return 0;
}
pts/0# cc -Wall mmaptest.c
pts/0# ./a.out
pid=4222


pts/1# cat /proc/4222/maps
cat: maps: Cannot allocate memory
pts/1# ps aux
USER     PID %CPU %MEM   VSZ  RSS TTY     STAT STARTED     TIME COMMAND
root       0  0.0  0.9     0 4948 ?       OKl   6:57PM 25:23.28 [system]
root       1  0.0  0.3 12876 1364 ?       Is    6:57PM  0:01.65 init
root     142  0.0  0.4 23836 1932 ?       Is    6:57PM  0:00.01 /usr/sbin/syslogd
root     153  0.0  0.2 12888 1268 ?       Ss    6:58PM  0:00.00 /usr/sbin/rpcbind -l
root     198  0.0  0.3 34404 1508 ?       Isl   6:58PM  0:00.00 /usr/sbin/nfsd -6tun 4
root     216  0.0  0.3 12932 1448 ?       Ss    6:58PM  0:00.00 /usr/sbin/rpc.statd
root     221  0.0  0.3 12956 1372 ?       Ss    6:58PM  0:00.00 /usr/sbin/rpc.lockd
root     319  0.0  0.2 12892 1036 ?       Is    6:58PM  0:00.00 /usr/sbin/powerd
root     338  0.0  0.6 57308 2956 ?       Is    6:58PM  0:00.00 /usr/sbin/sshd
ryo      435  0.0  0.8 76384 3952 ?       S     6:59PM  0:00.05 sshd: ryo@pts/0 (sshd)
root     527  0.0  1.1 76384 5700 ?       Is    6:59PM  0:00.02 sshd: ryo [priv]
root     565  0.0  0.3 10840 1316 ?       Ss    6:58PM  0:00.00 /usr/sbin/cron
root     580  0.0  0.2 14992 1116 ?       Is    6:58PM  0:00.00 /usr/sbin/inetd -l
root     581  0.0  0.8 49092 4048 ?       Ss    6:58PM  0:00.01 /usr/libexec/postfix/master
postfix  596  0.0  0.8 49212 4024 ?       I     6:58PM  0:00.01 qmgr -l -t unix -u
postfix  611  0.0  0.8 49152 3968 ?       S     6:58PM  0:00.01 pickup -l -t fifo -u
root     794  0.0  1.1 76384 5756 ?       Is    7:03PM  0:00.02 sshd: ryo [priv]
ryo      855  0.0  0.8 76384 3952 ?       S     7:03PM  0:00.06 sshd: ryo@pts/1 (sshd)
ryo      615  0.0  0.3  1664 1384 ttyp0   Ss    6:59PM  0:00.03 -tcsh 
^C^C^C^C^C^C
load: 0.01  cmd: ps 3739 [tstile] 0.00u 0.00s 0% 1704k
load: 0.01  cmd: ps 3739 [tstile] 0.00u 0.00s 0% 1704k
load: 0.01  cmd: ps 3739 [tstile] 0.00u 0.00s 0% 1704k
^C^C^Z^Z^Z

and cannot kill -9 4222 either.

>Fix:
Index: sys/miscfs/procfs/procfs_map.c
===================================================================
RCS file: /cvsroot/src/sys/miscfs/procfs/procfs_map.c,v
retrieving revision 1.42
diff -a -u -r1.42 procfs_map.c
--- procfs_map.c        6 May 2012 03:13:11 -0000       1.42
+++ procfs_map.c        11 Jul 2013 11:23:24 -0000
@@ -208,6 +208,8 @@
                        bufsize <<= 1;
                        if (bufsize > MAXBUFFERSIZE) {
                                error = ENOMEM;
+                               vm_map_unlock_read(map);
+                               uvmspace_free(vm);
                                goto out;
                        }
                        free(buffer, M_TEMP);
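
Review bot: the two release calls are added inline inside the `bufsize > MAXBUFFERSIZE` branch, right before `goto out`, so the unlock still lives apart from the common exit path and any later error exit added inside the locked region would have to repeat it. Consider a dedicated label ahead of `out` (a hypothetical `out_unlock:` doing `vm_map_unlock_read(map); uvmspace_free(vm);`) and jumping there from this branch instead. It is also worth confirming that `buffer` is released on this path, since the `free(buffer, M_TEMP)` visible in the hunk sits after the branch and is skipped by the `goto`.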
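
The failure mode reported above (an early ENOMEM exit from a buffer-doubling loop while a read lock and a vmspace reference are still held), as an added userspace model that is not code from this PR or from NetBSD. The struct names, `model_domap()`, the labels and the size constants are hypothetical; the lock and reference are modelled as plain counters so the leak is observable.

```c
/* Added illustration: userspace model, not NetBSD kernel code. */
#include <errno.h>
#include <stdlib.h>

#define MAX_BUF   4096   /* constructed cap, stands in for MAXBUFFERSIZE */
#define ENTRY_LEN 64     /* constructed size of one rendered map line */

struct model_map { int readers; size_t nentries; };   /* toy read lock */
struct model_vm  { int refcnt; struct model_map map; };

/*
 * Size a buffer for the map text, doubling it until the text fits.
 * leaky != 0 reproduces the reported exit path (lock and reference kept);
 * leaky == 0 unwinds through staged labels so every exit releases both.
 */
int model_domap(struct model_vm *vm, int leaky)
{
    size_t bufsize = 256, need;
    char *buffer = NULL;
    int error = 0;

    vm->refcnt++;                        /* take a reference on the vmspace */
    for (;;) {
        buffer = malloc(bufsize);
        if (buffer == NULL) { error = ENOMEM; goto out_unref; }
        vm->map.readers++;               /* read-lock the map */
        need = vm->map.nentries * ENTRY_LEN;
        if (need <= bufsize)
            break;                       /* fits: leave loop, lock still held */
        bufsize <<= 1;
        if (bufsize > MAX_BUF) {
            error = ENOMEM;
            if (leaky)
                goto out;                /* reported bug: skips both releases */
            goto out_unlock;
        }
        vm->map.readers--;               /* unlock before retrying */
        free(buffer);
    }
out_unlock:
    vm->map.readers--;                   /* drop the read lock */
out_unref:
    vm->refcnt--;                        /* drop the vmspace reference */
out:
    free(buffer);
    return error;
}
```

After the leaky call `readers` stays at 1, which in the kernel is the held read lock that later left `ps` waiting in `tstile`.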


